Networked computers are vulnerable to malicious computer code attacks, such as worms, viruses and Trojan horses. As used herein, “malicious computer code” is any code that enters a computer without an authorized user's knowledge and/or without an authorized user's consent.
Malicious mobile executable files comprise a major security threat. Mobile executable files are typically not signed, and do not carry a digital signature. Thus, the identity of their author(s) is unknown, and they should be suspected of being potentially malicious. For example, worms are often spread as a form of malicious mobile executable file.
Malicious mobile executable files such as worms often utilize open shares to spread themselves within networks. However, legitimate code can also be copied within a network this way. It is advantageous to be able to determine whether code remotely copied across a network is malicious or not, so that malicious code can be blocked and eliminated, and legitimate code copied as desired.
Some malicious code management strategies involve determining a suspicion level of mobile files, and blocking files that appear to be malicious. This type of blocking system can convict and block certain operations of malicious mobile code upon the detection of their propagation, and upon reaching a sufficient level of confidence about the suspiciousness of their operations. Blocking systems typically attempt to identify worms spreading across a network by comparing incoming binary files with the a known image of a worm, or an image of the copying application. This technique is sufficient to identify worms that copy themselves without self-modification and without employing identity hiding techniques. However, many of today's worms are polymorphous or metamorphic, changing their binary image as they spread. Dynamic worms pose a challenge to today's behavior blocking systems.
Furthermore, future generations of computer worms are likely to be even harder to detect than contemporary worms, thus providing an ongoing challenge to behavior blocking systems. For example, a future worm might be designed such that it communicates with a normal web server through the legitimate hypertext transfer protocol (HTTP), and then downloads different malicious binary images to local random access memory only. Then, the worm could be downloaded binaries to open remote network shares, without writing them to disk locally. Such a case would create a big challenge to contemporary behavioral based worm detection systems.
There exist other scenarios (actual and potential) that are also not effectively covered by current behavior blocking systems. For example, consider the following case. A worm arrives at a local machine, and the local blocking system classifies the file as being suspicious, but does not convict it as being malicious. The worm is either polymorphous or capable of downloading new malicious binaries from the Internet to local random access memory. The worm then copies new malicious binaries to remote open network shares. The behavior blocking system on the remote computer allows the new binaries to be copied, since the parent application is classified as being only suspicious and is not yet convicted. Later, the local copy of the worm is convicted by the behavior blocking component on the local computer. The new remotely copied binaries are still not convicted on the remote computer, and are considered as being only suspicious applications. The remote user then activates the remote copies on the remote machine, and the worm attacks that computer and spreads further to other computers. So, although the worm is eventually convicted on the local machine, its distributed new binaries are not convicted, and are still active within the outer network.
What is needed are methods, systems and computer readable media that extend a malicious could blocking system to be able to detect and block dynamic malicious code, such as polymorphous worms, metamorphic worms, worms that copy download new binary images to remote computers and worms that are only later convicted locally.